Two stories jump out this week. One concerns the Internet’s coordinating mechanism, the other the pact that enables European data to be sent to the United States. Seemingly discrete, at a deeper level they are organically connected. The underlying issue is whether challenges to U.S. power over the system of international communications will intensify – or be shunted aside.
We have written before about the “Safe Harbor” agreement, which had governed data- transfers between Europe and the U.S. and which was struck down by the European Court of Justice three months ago because it did not offer sufficient guarantees that Europeans’ personal data were protected from eavesdropping by U.S. intelligence agencies. Would a new pact be devised, incorporating Europeans’ demands to strengthen privacy protections? What kinds of guarantees would be supplied?
An answer is now at hand. Although the prescribed negotiating deadline passed without agreement, two days late a deal was announced.[1] The US firms escaped the obligation to store their data in European lands; while, a new “EU-US Privacy Shield,” the European Commission declared, “will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans.” U.S. companies wishing to import personal data from Europe “will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.” The U.S. Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US Federal Trade Commission. In addition, “any company handling human resources data from Europe has to commit to comply with decisions by European Data Protection Administrations.” E.U. citizens will have access to an ombudsman located in the United States. And, “for the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”[2]
We will need to see during the months ahead just what level of protection the “Privacy Shield” actually offers. What’s interesting, though, is that considerable effort needed to be expended to reach even such a seemingly minimal agreement as this. Intense negotiations were conducted at the World Economic Forum in Davos, involving both governmental functionaries and trade groups. Satya Nadella, the CEO of Microsoft, editorialized that the Safe Harbor agreement – with its guarantee that corporations may transmit personal data from jurisdiction to jurisdiction – must be supplemented with “additional agreements, that enable privacy rights to follow data around the world.”[3] Google, by appointing as head of its global policy unit a onetime Obama Administration negotiator known for her calm, conciliatory style, reportedly was “burying its confrontational stance” in favor of more moderate international diplomacy.[4] Facebook publicized a report that it had commissioned, to emphasize disingenuously that the U.S. had actually become more “privacy friendly” than Europe.[5] Transatlantic data flows are simply too important to be left to the lower echelons.
Still, the data-hogging transnationals are not yet in the clear. Europe’s national privacy regulators are slated to release their own decision tomorrow, February 3d, on how data should be moved between the two regions. And a clamor that the EC had sold out 500 million Europeans is already audible. It is possible that some nations’ data protection authorities will prove more vigilant than their colleagues in the Commission. Thousands of U.S. companies, rooted in every sector, will be watching – eagle-eyed, we might say. No matter which way tomorrow’s decision goes, transborder data flows will still continue to constitute a crucial point of vulnerability for corporate capital.